Showing results for 
Search instead for 
Did you mean: 


Cisco ASA 5506-X The crypto ca server command is being deprecated in future release?? Why?

I get this message now when I add a new user for in the local CA server.  Is Cisco removing the local CA server completely from the 5506-X?? WHY?


VIP Expert

Yes you are correct as per 9.12 release notes.


***** Rate All Helpful Responses *****

How to Ask The Community for Help



The 9.12 release notes states that "This feature has become obsolete...". Is there another feature replacing it?


I'm running a Local CA server and issue certificates for devices that connect to VPN. This adds a layer of security since a valid certificate besides a password is required to be able to connect to the VPN service. Is there another way of doing this in the future if ASAs will no longer have the Local CA feature?

The other options are getting the certificate signed by a public CA such as Verisign or Comodo. Alternatively you could use a Cisco IOS router as a CA or a Windows Server.




Thanks for your response. Can you please point me to some documentation on how to configure the user certificates on the ASA if they are from a public CA? Until now I always issued the user certificates from the ASA's local CA.


As I mentioned before, we use both a valid user certificate and a valid username\password combo to authenticate AnyConnect VPN clients.



I'm talking about the User Certificates. If the Local CA will be gone, how do I install certs from other CA's in the ASA for the AnyConnect VPN users (AAA/Local Users). I am authenticating them with username\password and a certificate.



The document provide you to generate Certifiace from Public CA and install on ASA for the users to use.


***** Rate All Helpful Responses *****

How to Ask The Community for Help



We are also using the local CA server at present.  I understand that once it's gone we won't be able to issue new certificates, but does anyone know if it will also render current certificates invalid?  My assumption is that it will as there will be no CA to validate the certificates against.


I know it's probably a bit of a stab in the dark but does anyone have any guesses as to when Cisco are likely to remove CA server completely, i.e. how much time do I realistically have to implement an alternative?


Many thanks,




As long as the client still trusts the CA then the issued certificates will remain valid, (as long as they are in date, and not on a revoke list).


As for when it will be retired - who knows :(

Peter Long

Use the following to deploy Window sCertificat eServicves to do the same job


Hi. Great video! I think there's some misunderstanding in this thread though.


Our ASA has a certificate from a public CA, that's not the problem.


Remote AnyConnect client software (mobile and laptops) connect to our ASA via IPSec tunnel and are required to have a valid username\password combination AND A VALID USER CERTIFICATE. This user certificate (which is installed on the clients both mobile devices and laptops) is issued by the ASA's Local CA by adding a user, see the attached pic. If I start issuing certs to my users from a public CA will the ASA accept the certificate?



The cert on your ‘outside’ interface can be publicly signed, if you want to use self CA Signed user certificates from your own CA (usually by domain auto enrolment), then you just need to import the root CA from your Windows CA into the firewall and the firewall will trust those certs 😊

At present you have a public signed Cert on the ASA, and privately signed certs for your users, from ASA CA

If you switch to

Publicly signed certificate on the ASA and privately signed certificates from Windows CA


Then nothing changes with your public cert, leave it where it is its fine.

You simply need to


1. Issue user certs to your users (Auto enrolment will do that for you)

2. Import the Root CA cert from your Windows CA onto the ASA and it will trust your user certs.



The answer I've been looking for! Thank you so much, I have been avoiding software updates on the ASA because of this. Now I can go ahead (after making a proper CA) :D

Content for Community-Ad